Hi Breno, On 19/09/19 03:31, Breno Matheus Lima wrote: > HI Stefano and Jagan, > > Em qua, 18 de set de 2019 às 04:59, Stefano Babic <sba...@denx.de> escreveu: >> >> Hi Jagan, Breno, >> >> On 17/09/19 09:13, Jagan Teki wrote: >>> Hi Breno, >>> >>> On Thu, Jul 18, 2019 at 6:06 PM Breno Matheus Lima <breno.l...@nxp.com> >>> wrote: >>>> >>>> In case CONFIG_SECURE_BOOT is enabled we need to limit the SPL size to >>>> avoid a possible HAB failure event: >>>> >>>> --------- HAB Event 1 ----------------- >>>> event data: >>>> 0xdb 0x00 0x14 0x42 0x33 0x22 0x33 0x00 >>>> 0x00 0x00 0x00 0x0f 0x00 0x90 0x70 0x00 >>>> 0x00 0x01 0x10 0x00 >>>> STS = HAB_FAILURE (0x33) >>>> RSN = HAB_INV_ADDRESS (0x22) >>>> CTX = HAB_CTX_TARGET (0x33) >>>> ENG = HAB_ENG_ANY (0x00) >>>> >>>> As explained in Commit 23612534fe0f ("spl: imx6: Provide a SPL_SIZE_LIMIT >>>> default") the i.MX6 SPL size limit is 68KB. >>>> >>>> The ROM code is copying the image size defined in boot data to its >>>> respective load address, in case we exceed the OCRAM free region a >>>> HAB invalid address failure event is generated. >>>> >>>> The maximum CSF size is defined in CONFIG_CSF_SIZE, reduce SPL size >>>> limit based on this configuration. >>>> >>>> Signed-off-by: Breno Lima <breno.l...@nxp.com> >>>> --- >>>> tools/spl_size_limit.c | 3 +++ >>>> 1 file changed, 3 insertions(+) >>>> >>>> diff --git a/tools/spl_size_limit.c b/tools/spl_size_limit.c >>>> index 98ff491867..8902e30129 100644 >>>> --- a/tools/spl_size_limit.c >>>> +++ b/tools/spl_size_limit.c >>>> @@ -14,6 +14,9 @@ int main(int argc, char *argv[]) >>>> >>>> #ifdef CONFIG_SPL_SIZE_LIMIT >>>> spl_size_limit = CONFIG_SPL_SIZE_LIMIT; >>>> +#if defined(CONFIG_SECURE_BOOT) && defined(CONFIG_CSF_SIZE) >>>> + spl_size_limit -= CONFIG_CSF_SIZE; >>>> +#endif >>> >>> But, if the target enable HAB on SPL the size would be part of SPL >>> limit, isn't ? >> >> Indeed - it is not clear to me, too, if it is correct, even if CSF is >> added later by the NXP signing tools. The patch reduces significantly >> the available space for SPL, I just wondering why just mamoj is >> affected. Jagan, does it work without this patch applied ? >> > > When enabling CONFIG_SECURE_BOOT we increase the image length in boot > data by the size defined in CONFIG_CSF_SIZE. The HAB code will parse > the boot data structure and copy the image length defined (SPL image > plus CSF appended) to its respective load address. > > HAB code is checking if the image length defined can fit in OCRAM free > region, and logs the following HAB event in case not: > > --------- HAB Event 1 ----------------- > event data: > 0xdb 0x00 0x14 0x42 0x33 0x22 0x33 0x00 > 0x00 0x00 0x00 0x0f 0x00 0x90 0x70 0x00 > 0x00 0x01 0x10 0x00 > STS = HAB_FAILURE (0x33) > RSN = HAB_INV_ADDRESS (0x22) > CTX = HAB_CTX_TARGET (0x33) > ENG = HAB_ENG_ANY (0x00) > > HAB closed targets would then fail to boot, so for that reason we > added CONFIG_CSF_SIZE into consideration. >
Clear - thanks for detailed explanation. > We can reduce the default CONFIG_CSF_SIZE but it depends on the user > specific HAB setup. I did a quick test with RSA 4K keys and couldn't > achieve 0x2000 length. That is much less as we have now. > > Do you think we should decrease default CONFIG_CSF_SIZE? I think yes - if we set it for the worst case, we reduce the SPL size so much that most boards, if they enable SECURE_BOOT, won't build. I cannot say that imx6dl_mamoj has dead code in its SPL, it is one of the board with the "state of art" in U-Boot, with DM and OF in SPL. But this is also something we decided to push into U-Boot. Anyway, every board maintainer can change it and add it to the own defconfig. Jagan, after setting CONFIG_CSF_SIZE to 0x2060 as suggested by Breno, board builds fine - but I have no idea if it can boots. Can you check this ? > Perhaps > 0x2000 plus the maximum dek blob size (0x60) would be enough for most > uses cases, users requiring more space can modify their > CONFIG_CSF_SIZE. Best regards, Stefano -- ===================================================================== DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de ===================================================================== _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot